This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch fix/plexus-exclusion in repository https://gitbox.apache.org/repos/asf/struts.git
commit cf74a4450c60c616a283ccadd96cae8410fa9e05
Author: Lukasz Lenart <lukaszlen...@apache.org>
AuthorDate: Mon Jan 22 09:28:14 2024 +0100
Fixes excluding Plexus container in OWASP scan
---
 src/etc/project-suppression.xml | 21 ++++++++-------------
 1 file changed, 8 insertions(+), 13 deletions(-)
diff --git a/src/etc/project-suppression.xml b/src/etc/project-suppression.xml
index be1c572b1..7b2a1c5fb 100644
--- a/src/etc/project-suppression.xml
+++ b/src/etc/project-suppression.xml
@@ -132,21 +132,16 @@
 <notes><![CDATA[ file name: plexus-utils-1.2.jar]]></notes>
 <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus\-utils@.*$</packageUrl>
 <cpe>cpe:/a:plexus-utils_project:plexus-utils</cpe>
+ <cve>CVE-2022-4244</cve>
+ <cve>CVE-2022-4245</cve>
+ <cve>CVE-2017-1000487</cve>
 </suppress>
 <suppress>
- <notes><![CDATA[file name: plexus-utils-1.2.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus\-utils@.*$</packageUrl>
- <vulnerabilityName>CVE-2017-1000487</vulnerabilityName>
- </suppress>
- <suppress>
- <notes><![CDATA[file name: plexus-utils-1.2.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus\-utils@.*$</packageUrl>
- <vulnerabilityName>Directory traversal in org.codehaus.plexus.util.Expand</vulnerabilityName>
- </suppress>
- <suppress>
- <notes><![CDATA[file name: plexus-utils-1.2.jar]]></notes>
- <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus\-utils@.*$</packageUrl>
- <vulnerabilityName>Possible XML Injection</vulnerabilityName>
+ <notes><![CDATA[ file name: plexus-container-default-1.0-alpha-10.jar]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus\/plexus\-container\-default@.*$</packageUrl>
+ <cpe>cpe:/a:plexus-utils_project:plexus-utils</cpe>
+ <cve>CVE-2022-4244</cve>
+ <cve>CVE-2022-4245</cve>
 </suppress>
 <suppress>
 <notes><![CDATA[file name: oval-1.90.jar]]></notes>
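Review bot: The new `<suppress>` entry for plexus-container-default records only the jar name in `<notes>` and gives no reason why CVE-2022-4244 and CVE-2022-4245 should be silenced for that artifact, even though the entry reuses the plexus-utils CPE (`cpe:/a:plexus-utils_project:plexus-utils`) to match it; someone auditing the scan later cannot tell whether this is a CPE false positive or an accepted risk. Suggest stating the rationale in the notes, e.g. `<notes><![CDATA[file name: plexus-container-default-1.0-alpha-10.jar - CPE match is a false positive: <reason to be confirmed by the committer>]]></notes>`, and consider time-boxing both rewritten entries with dependency-check's `until` attribute so they are re-evaluated rather than silently kept. Two of the removed entries suppressed findings by `<vulnerabilityName>` ("Directory traversal in org.codehaus.plexus.util.Expand", "Possible XML Injection") rather than by CVE id; if any data source still reports them under those names they will presumably resurface, since the rewritten entries list only `<cve>` values. Minor: the new packageUrl regex escapes the slash and hyphens (`plexus\/plexus\-container\-default`) while the plexus-utils regex above leaves the slash unescaped; both are valid, but matching the existing style reads better. The plexus-utils `<suppress>` element being amended opens before this hunk.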